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<doc> 

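<regexp-query>
  <!-- Group-side privilege crossing. Step 1 matches an exec record whose real gid
       is non-zero ([1-9]\d*) but whose effective gid is 0, and captures the pid.
       Step 2 then matches a later exec whose ppid is that pid (%1%), i.e. a child
       of the group-root process. procmatch pulls the child's args into %agg%.
       NOTE(review): a legitimate setgid-root program produces exactly the same
       record, hence "Possible"; triage hits against the set of expected setgid
       binaries rather than treating every match as an exploit. -->
  <name>Possible SGID Exploit</name>
  <properties>
    <priority>10</priority>
  </properties>
  <pattern>
    <next>
      <line>.*exec args=.*pid=\((\d+)\); ppid=\(\d+\); uid=\(\d+\); euid=\(\d+\); gid=\([1-9]\d*\); egid=\(0\).*</line>
    </next>
    <next>
      <!-- %1% is the pid captured by the previous step. -->
      <line>.*args=\([\-\w\\\/ ]+\); pid=\(\d+\); ppid=\(%1%\).*</line>
    </next>
  </pattern>
  <procmatch>
    <actionpair>
      <!-- Group 1 here is the child's args; the action stores it in agg. -->
      <line>.*args=\(([\-\w\\\/ ]+)\).*ppid=\(.*</line>
      <action>
        <highlight/>
        <delete/>
        <varop var="agg">%1%</varop>
      </action>
    </actionpair>
  </procmatch>
  <annotation>
    <text>Possible SGID Exploit: %agg%</text>
  </annotation>
</regexp-query>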
</doc> 



<doc> 

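<regexp-query>
  <!-- User-side privilege crossing: an exec record whose real uid is non-zero but
       whose effective uid is 0, followed by an exec whose ppid is the captured pid.
       The uid class is [1-9]\d* (same as the gid class in the SGID rule); with
       \d+ a single-digit uid (1 to 9) could never match.
       Step 2 pins ppid to %1% like the SGID and shell-spawned rules do, so an
       unrelated exec interleaved in the log cannot complete the pattern.
       NOTE(review): every legitimate setuid-root program (su, passwd, ...) yields
       the same record; treat a hit as a lead, not a verdict. -->
  <name>Possible SUID Exploit</name>
  <properties>
    <priority>10</priority>
  </properties>
  <pattern>
    <next>
      <line>.*exec args=.*pid=\((\d+)\); ppid=\(\d+\); uid=\([1-9]\d*\); euid=\(0\).+</line>
    </next>
    <next>
      <line>.*args=\(.+\); pid=\(\d+\); ppid=\(%1%\).*</line>
    </next>
  </pattern>
  <procmatch>
    <actionpair>
      <!-- %1% in the line is the pid from step 1; %1% in the action is this
           line's own group 1 (the child's args). -->
      <line>.*args=\((.+)\); pid=\(\d+\); ppid=\(%1%\).*</line>
      <action>
        <highlight/>
        <delete/>
        <varop var="agg">%1%</varop>
      </action>
    </actionpair>
  </procmatch>
  <annotation>
    <text>Possible SUID Exploit: %agg%</text>
  </annotation>
</regexp-query>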
</doc> 



<doc> 

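<regexp-query>
  <!-- Reports every proclog exec record. The args character class allows a dot
       in addition to the class used by the SGID/SUID rules, so dotted program
       names (e.g. a versioned binary) are captured whole. -->
  <name>All Processes</name>
  <properties>
    <priority>10</priority>
  </properties>
  <pattern>
    <next>
      <line>.+proclog.*args=\(([\-\.\w\\\/ ]+)\).*</line>
    </next>
  </pattern>
  <procmatch>
    <actionpair>
      <line>.*args=\(([\-\.\w\\\/ ]+)\).*</line>
      <action>
        <highlight/>
        <delete/>
        <varop var="agg">%1%</varop>
      </action>
    </actionpair>
  </procmatch>
  <annotation>
    <text>Process started: %agg%</text>
  </annotation>
</regexp-query>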
</doc> 



m 



<doc> 

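<regexp-query>
  <!-- Parameterised process search. Each <args> child is a default that is
       spliced into the pattern as %name%; the defaults are themselves regexes
       (.+ and \d+), so a supplied value is interpreted as a regex too.
       NOTE(review): regex metacharacters in a search value (parentheses, dots,
       brackets) must be escaped by the user or the pattern silently changes
       meaning. The procmatch only extracts args; the other fields just filter. -->
  <name>Find Processes...</name>
  <properties>
    <priority>10</priority>
  </properties>
  <args>
    <args>.+</args>
    <pid>\d+</pid>
    <ppid>\d+</ppid>
    <uid>\d+</uid>
    <euid>\d+</euid>
    <gid>\d+</gid>
    <egid>\d+</egid>
  </args>
  <pattern>
    <next>
      <line>.*args=\(%args%\); pid=\(%pid%\); ppid=\(%ppid%\); uid=\(%uid%\); euid=\(%euid%\); gid=\(%gid%\); egid=\(%egid%\).*</line>
    </next>
  </pattern>
  <procmatch>
    <actionpair>
      <line>.*args=\((.+)\); pid.+</line>
      <action>
        <highlight/>
        <delete/>
        <varop var="agg">%1%</varop>
      </action>
    </actionpair>
  </procmatch>
  <annotation>
    <text>Process started: %agg%</text>
  </annotation>
</regexp-query>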
</doc> 



<doc> 

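<regexp-query>
  <!-- Step 1 matches an exec whose args are exactly "-sh" (a login shell) and
       captures its pid; step 2 matches execs whose ppid is that pid.
       NOTE(review): only the literal "-sh" is recognised. A login bash/ksh
       ("-bash", "-ksh") or a plain interactive "sh" will not start the pattern,
       so this is a narrow view of shell activity, not a complete one.
       NOTE(review): unlike the other rules this action has no <delete/>; confirm
       that is intended. -->
  <name>All Shell-spawned Processes</name>
  <properties>
    <priority>10</priority>
  </properties>
  <pattern>
    <next>
      <line>.*exec args=\(-sh\); pid=\((\d+)\).*</line>
    </next>
    <next>
      <line>.*args=\(([\-\w\\\/ ]+)\).*ppid=\(%1%\).*</line>
    </next>
  </pattern>
  <procmatch>
    <actionpair>
      <line>.*args=\(([\-\w\\\/ ]+)\).*ppid=\(%1%\).*</line>
      <action>
        <highlight/>
        <varop var="agg">%1%</varop>
      </action>
    </actionpair>
  </procmatch>
  <annotation>
    <text>Executed from a shell: %agg%</text>
  </annotation>
</regexp-query>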
</doc> 
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<doc> 

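<regexp-query>
  <!-- Matches "incoming connection" records and splits both endpoints into
       address and port at a colon. Each (.+):(.+) pair is greedy, so the split
       is at the last colon of the field, which keeps the port separate even when
       the address itself contains colons. -->
  <name>Incoming Connections</name>
  <properties>
    <priority>10</priority>
  </properties>
  <pattern>
    <next>
      <line>.*incoming connection from=\(.+\).*</line>
    </next>
  </pattern>
  <procmatch>
    <actionpair>
      <line>.*incoming connection from=\((.+):(.+)\) to=\((.+):(.+)\).*</line>
      <action>
        <highlight/>
        <delete/>
        <varop var="fromip">%1%</varop>
        <varop var="fromport">%2%</varop>
        <varop var="toip">%3%</varop>
        <varop var="toport">%4%</varop>
      </action>
    </actionpair>
  </procmatch>
  <annotation>
    <text>Incoming Connection From IP: %fromip% (on port: %fromport%) To IP: %toip% (on port: %toport%)</text>
  </annotation>
</regexp-query>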
</doc> 



<doc> 

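<regexp-query>
  <!-- Reassembles typed input from "read stream data" records. Step 1 captures a
       stream id; step 2 (fromprev="1", presumably tied to that capture) waits for
       a record on the same id whose data contains an escaped byte \0a, \0d or \04
       (newline, CR or EOT), taken as the end of an input line. procmatch then
       collects the data of every record on that id into %agg%.
       NOTE(review): the aggregated text is whatever was typed, which may include
       passwords; the generated report should be handled as sensitive data. -->
  <name>Keystrokes Entered</name>
  <properties>
    <priority>10</priority>
  </properties>
  <pattern>
    <next>
      <line>.*read stream data, id=\((\d+)\) data=\(.+\).*</line>
    </next>
    <next fromprev="1">
      <line>.*read stream data, id=\(%1%\) data=\(.*\\0[ad4].*\).*</line>
    </next>
  </pattern>
  <procmatch>
    <actionpair>
      <line>.*read stream data, id=\(%1%\) data=\((.+)\).*</line>
      <action>
        <highlight/>
        <delete/>
        <varop var="agg">%1%</varop>
      </action>
    </actionpair>
  </procmatch>
  <annotation>
    <text>Keystrokes Entered: %agg%</text>
  </annotation>
</regexp-query>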
</doc> 
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<doc> 

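<regexp-query>
  <!-- Mirror of the keystroke rule for "write stream data" records: capture a
       stream id, wait for a record on the same id containing an escaped byte
       \0a, \0d, \04 or \06, then aggregate the data of that stream into %agg%.
       NOTE(review): screen output echoes whatever the monitored session showed
       (file contents, command results); treat the report as sensitive. -->
  <name>Screen Output</name>
  <properties>
    <priority>10</priority>
  </properties>
  <pattern>
    <next>
      <line>.*write stream data, id=\((\d+)\) data=\(.+\).*</line>
    </next>
    <next fromprev="1">
      <line>.*write stream data, id=\(%1%\) data=\(.*\\0[ad46].*\).*</line>
    </next>
  </pattern>
  <procmatch>
    <actionpair>
      <line>.*write stream data, id=\(%1%\) data=\((.+)\).*</line>
      <action>
        <highlight/>
        <delete/>
        <varop var="agg">%1%</varop>
      </action>
    </actionpair>
  </procmatch>
  <annotation>
    <text>Output to screen: %agg%</text>
  </annotation>
</regexp-query>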
</doc> 



<doc> 

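<regexp-query>
  <!-- Parameterised search for "monitored file opened" records. file_name and
       pid are spliced into the pattern as regexes (defaults .+ and \d+), so a
       literal file name with regex metacharacters (e.g. a dot) should be escaped
       or it will also match other names. procmatch re-extracts both fields for
       the annotation. -->
  <name>Find Monitored</name>
  <properties>
    <priority>10</priority>
  </properties>
  <args>
    <file_name>.+</file_name>
    <pid>\d+</pid>
  </args>
  <pattern>
    <next>
      <line>.*monitored file opened name=\(%file_name%\) pid=\(%pid%\).*</line>
    </next>
  </pattern>
  <procmatch>
    <actionpair>
      <line>.*monitored file opened name=\((.+)\) pid=\((.+)\).*</line>
      <action>
        <highlight/>
        <delete/>
        <varop var="filename">%1%</varop>
        <varop var="pidvar">%2%</varop>
      </action>
    </actionpair>
  </procmatch>
  <annotation>
    <text>File Opened: %filename% (from pid: %pidvar%)</text>
  </annotation>
</regexp-query>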
</doc> 



